DETAILED ACTION

1. This is in reply to application filed on November 18, 2003. Claims 1-23 
have been examined. 

Priority 

2. This application does not claim priority of any application. Therefore, the
effective filing date for the subject matter defined in the pending claims of this
application is November 18, 2003.

Claim Rejections - 35 USC § 102 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under 
section 122(b), by another filed in the United States before the invention by the 
applicant for patent or (2) a patent granted on an application for patent by another 
filed in the United States before the invention by the applicant for patent, except that 
an international application filed under the treaty defined in section 351(a) shall 
have the effects for purposes of this subsection of an application filed in the United 
States only if the international application designated the United States and was 
published under Article 21(2) of such treaty in the English language. 

4. Claims 1-5, 12-23 are rejected under 35 U.S.C. 102(e) as being anticipated by
Campbell et al. (hereinafter referred to as Campbell) (U.S. Publication No.
2004/0003284 A1) (filed on Jun 26, 2002).

5. As per independent claims 1, 33 and 23 and dependent claims 13-16,
Campbell discloses a method for tracking a virus [Abstract] (As it has been disclosed on
the abstract the method is used to detect possible virus attacks and identify the source of
the attacks within a computer network) comprising:

• Copying information from a first packet [Abstract and paragraph
0025-0026] (On abstract and on paragraph 0026, it has been disclosed that in an 
off-line scan mode, the packets are copied and are passing through the switch 
and on paragraph 0025, it has been disclosed that because the ports of a network 
switch are directly connected to respective physical computers in the network, the 
detection of a virus signature or a virus attack pattern by the switch allows an 
unambiguous determination of the source of the network traffic that 
contains the virus attack and this implies that the detection of the virus includes 
getting information about the packets including the source and the destination 
address of the packets and such information being part of the packets are also 
copied.) 

• Passing through a second packet [Abstract and paragraph 0025-0026] 
(On abstract and on paragraph 0026, it has been disclosed that in an off-line
scan mode, the packets are copied and are passing through the switch and
on paragraph 0025, it has been disclosed that because the ports of a network 
switch are directly connected to respective physical computers in the network, the 
detection of a virus signature or a virus attack pattern by the switch allows an 
unambiguous determination of the source of the network traffic that 
contains the virus attack and this implies that the detection of the virus includes 
getting information about the packets including the source and the destination 
address of the packets and such information being part of the packets are also 
copied. It is inherently included that the second packets or the subsequent packets
which have the same source and destination address will not be copied or saved
but will be passed through without being scanned since it is unnecessary to do
so. Or the second packets, which are interpreted by the office as those packets
which are received when the system is in an on-line scan mode, are instead
scanned dynamically and forwarded to their destination ports without being
copied or saved and this meets the limitation, "passing through a second
packet");

• Saving the copied information; [Abstract] (As is disclosed in the
abstract, in an off-line scan mode, a copy of the packets passing through the
switch is saved into a packet queue for scanning.)

• Determining whether an infection has been received, wherein the 
infection is associated with a network transmission, and wherein the 
network transmission is also associated with the first packet; [paragraph 
0027] (In one embodiment, the virus scanner 126 of the network switch 72 
processes the packets 122 in the packet queue 120 on a first-in-first-out (FIFO) 
basis. In other words, the oldest packet in the queue 120 will be scanned first for 
virus signatures or attack patterns. To scan a packet, the virus scanner 126 reads 
the content of the packet and matches it against the virus signatures stored in the 
virus information database 100 and determines whether this packet and
previous packets from the same port together show a discernable pattern of virus 
attacks.) and 

• retrieving the saved information, [paragraph 0028] (When the network
switch 72 detects a virus signature or attack pattern in the network packets
passing through its ports, it can take various steps to prevent the spreading of
the virus. In a preferred embodiment, depending on the current alert set by the
system administrator, the network switch 72 performs one of three actions. And
on the same paragraph the following has been disclosed: "The network switch
can alert the computer from which the virus attack originated that it is infected,
or alert the system administrator that the computer is infected," and in order to
alert the computer from which the virus attack is originated the system has to
retrieve the source address and other information from the packets that are
already copied and saved and finally scanned.)

6. As per claim 2-4 and 17-21 Campbell discloses a method as applied to claims 
above. Furthermore, Campbell discloses the method wherein the information includes a
file system location, includes a file name, or includes a network address of a
source computer. [Abstract and paragraph 0025-0026] (On abstract and on paragraph
0026, it has been disclosed that in an off-line scan mode, the packets are copied
and are passing through the switch and on paragraph 0025, it has been disclosed that 
because the ports of a network switch are directly connected to respective physical 
computers in the network, the detection of a virus signature or a virus attack pattern by 
the switch allows an unambiguous determination of the source of the network 
traffic that contains the virus attack and this implies that the detection of the virus
includes getting information about the packets including the source and the destination 
address of the packets and also other information included in the packets and such 
information being part of the packets are also copied.) 

7. As per claim 5 Campbell discloses a method as applied to claims above. 
Furthermore Campbell discloses the method wherein, the information is saved on a 
receiving computer [See figure 2]. 

Claim Rejections - 35 USC § 103

8. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the 
subject matter sought to be patented and the prior art are such that the subject 
matter as a whole would have been obvious at the time the invention was made to a 
person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made.

9. Claims 6-11 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Campbell et al. (hereinafter referred to as Campbell) (U.S. Publication No.
2004/0003284 A1) (filed on Jun 26, 2002) in view of Lahti et al. (hereinafter referred to
as Lahti) (U.S. Publication No. 2005/0033975 A1) (filed on August 8, 2002).

10. As per dependent claims 6-11 Campbell discloses a method for tracking a 
virus [Abstract] (As it has been disclosed on the abstract the method is used to detect 
possible virus attacks and identify the source of the attacks within a computer network)
comprising: 

• Copying information from a first packet [Abstract and paragraph 
0025-0026] (On abstract and on paragraph 0026, it has been disclosed that in an 
off-line scan mode, the packets are copied and are passing through the switch 
and on paragraph 0025, it has been disclosed that because the ports of a network 
switch are directly connected to respective physical computers in the network, the 
detection of a virus signature or a virus attack pattern by the switch allows an 
unambiguous determination of the source of the network traffic that 
contains the virus attack and this implies that the detection of the virus includes 
getting information about the packets including the source and the destination 
address of the packets and such information being part of the packets are also 
copied.) 

• Passing through a second packet [Abstract and paragraph 0025-0026] 
(On abstract and on paragraph 0026, it has been disclosed that in an off-line
scan mode, the packets are copied and are passing through the switch and
on paragraph 0025, it has been disclosed that because the ports of a network 
switch are directly connected to respective physical computers in the network, the 
detection of a virus signature or a virus attack pattern by the switch allows an 
unambiguous determination of the source of the network traffic that
contains the virus attack and this implies that the detection of the virus includes
getting information about the packets including the source and the destination
address of the packets and such information being part of the packets are also
copied. It is inherently included that the second packets or the subsequent packets
which have the same source and destination address will not be copied or saved
but will be passed through without being scanned since it is unnecessary to do
so. Or the second packets, which are interpreted by the office as those packets
which are received when the system is in an on-line scan mode, are instead
scanned dynamically and forwarded to their destination ports without being
copied or saved and this meets the limitation, "passing through a second
packet");

• Saving the copied information; [Abstract] (As is disclosed in the
abstract, in an off-line scan mode, a copy of the packets passing through the
switch is saved into a packet queue for scanning.)

• Determining whether an infection has been received, wherein the 
infection is associated with a network transmission, and wherein the 
network transmission is also associated with the first packet; [paragraph 
0027] (In one embodiment, the virus scanner 126 of the network switch 72 
processes the packets 122 in the packet queue 120 on a first-in-first-out (FIFO) 
basis. In other words, the oldest packet in the queue 120 will be scanned first for 
virus signatures or attack patterns. To scan a packet, the virus scanner 126 reads 
the content of the packet and matches it against the virus signatures stored in the 
virus information database 100 and determines whether this packet and
previous packets from the same port together show a discernable pattern of virus
attacks.) and

• retrieving the saved information, [paragraph 0028] (When the network
switch 72 detects a virus signature or attack pattern in the network packets
passing through its ports, it can take various steps to prevent the spreading of
the virus. In a preferred embodiment, depending on the current alert set by the
system administrator, the network switch 72 performs one of three actions. And
on the same paragraph the following has been disclosed: "The network switch
can alert the computer from which the virus attack originated that it is infected,
or alert the system administrator that the computer is infected," and in order to
alert the computer from which the virus attack is originated the system has to
retrieve the source address and other information from the packets that are
already copied and saved and finally scanned.)

Campbell does not explicitly teach that the determination of when a virus has 
been received is performed when an attempt to 
open/read/write/create/access/delete a file occurs. 

However, in the same field of endeavor, Lahti discloses that Various anti-virus 
applications are available on the market today. These tend to work by maintaining a 
database of signatures or fingerprints for known viruses. With a "real time" scanning 
application, when a user tries to perform an operation on a file, e.g. open, save, or 
copy, the request is redirected to the anti-virus application. If the application has 
no existing record of the file, the file is scanned for known virus signatures. If a virus is 
identified in a file, the anti-virus application reports this to the user, for example by 
displaying a message in a pop-up window. [Paragraph 0004] 

It would have been obvious to one having ordinary skill in the art, at the time
the invention was made, to combine the feature that determining when a virus has
been received is performed when an attempt to open/read/write/create/access a
file occurs, as per the teachings of Lahti, into the method as taught by Campbell to
provide security by preventing the propagation of the virus by adding the
identity of the infected file to a register of infected files, and when a subsequent
operation on the file is requested, the anti-virus application first checks the
register to see if the file is infected. If it is infected, it can easily deny
access. [See Lahti paragraph 0004]

Conclusion 

11. The prior art made of record and not relied upon is considered pertinent to
applicant's disclosure. (See PTO-Form 892). 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Samson B Lemma whose telephone number is
571-272-3806. The examiner can normally be reached on Monday-Friday
(8:00 am - 4:30 pm).

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, BARRON JR GILBERTO can be reached on 571-272-3799. 
The fax phone number for the organization where this application or proceeding is 
assigned is 703-873-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR 
only. For more information about the PAIR system, see
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system,
contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).